ietf-smime

New ASN.1 modules comments/questions

2008-04-21 09:51:02

Jim and Paul,

Here are some comments/questions on the ASN.1 modules.

spt

-------------------

The definitions of AlgorithmIdentifier in the PKIX and SMIME modules are
different - is there a reason for the difference? Does it matter? In PKIX
it's AlgorithmSet, in SMIME it's InfoObjectSet, in RFC2976 it's IOSet, in
ANSI X9 docs it's also IOSet, and in X.509 it's SupportedAlgorithms. If it
matters, then I guess I lean towards what's in RFC2976 since it's already in
an RFC.

-------------------

In the 3370 section,

 1. Shouldn't AlgorithmIdentifier be imported from the PKIX module?

 2. You used alg- as tag for hash algs, sig- for signature algs, kea- for
key agreement algs, alg- for symmetric key encryption algs.  I think it
might be easier to figure out which algs go where if the tag matches the
type of algorithm like mda- for MessageDigestAlgorithms, sa- for
SignatureAlgorithms, and kaa- for KeyAgreementAlgorithms. 

 3. Could we change SymmetricKeyEncryptionAlgorithms to just
KeyWrapAlgorithms and use kwa- as the tag? There's also a KeyWrapAlgorithm
that I think is supposed to be the same as the
SymmetricKeyEncryptionAlgorithms so one or the other can get deleted (if you
delete the latter, change SupportKeyWrapAlgorithms to KeyWrapAlgorithms)?

 4. Shouldn't SymmetricKeyEncryptionAlgorithms be extensible?

 5. Do we need to add a MessageAuthenticationCodeAlgorithms for the hmac
alg? Then we could use maca- in front of the hMAC-SHA1.

 6. Some of the IOSets are {...} (like SignatureAlgorithms) while others
list algorithms (like MessageDigestAlgorithms) - shouldn't all of them list
algorithms or none?

-------------------

In the 3565 section, I think the algorithms need to be defined using the new
syntax, import ALGORITHM, and define the algs as follows:

  ContentEncryptionAlgorithms ALGORITHM ::= { 
     cea-aes128-cbc   | 
     cea-aes192-cbc   | 
     cea-aes256-cbc, 
     ... -- Extensible 
     } 

   cea-aes128-cbc ALGORITHM ::= { 
     OID id-aes128-CBC PARMS AES-IV } 

   cea-aes192-cbc ALGORITHM ::= { 
     OID id-aes192-CBC PARMS AES-IV } 

   cea-aes256-cbc ALGORITHM ::= { 
     OID id-aes256-CBC PARMS AES-IV }

  KeyWrapAlgorithms ALGORITHM ::= { 
     kwa-aes128 | 
     kwa-aes192 | 
     kwa-aes256, 
     ... -- Extensible 
   } 

   kwa-aes128 ALGORITHM ::= { 
     OID id-aes128-wrap PARMS ABSENT } 

   kwa-aes192 ALGORITHM ::= { 
     OID id-aes192-wrap PARMS ABSENT } 

   kwa-aes256 ALGORITHM ::= { 
     OID id-aes256-wrap PARMS ABSENT } 

-------------------

In the 3851 section, shouldn't SMimeAttributeSet be extensible? r/{
attr-smimeCapabilities | attr-encrypKeyPref }/{ attr-smimeCapabilities |
attr-encrypKeyPref, ... }

-------------------

In the 3852 section,

 1. OID for PKIX1 module doesn't match the new PKIX asn ID OID - I think it
should be id-pkix-explict(19) instead of (18).

 2. Are you going to remove the version notations [[3:, [[4:, etc?

 3. For consistency with 3370, can we change DigestAlgorithmList to
MessageDigestAlgorithms?

 4. For consistency, can we change UnsignedAttributes to
UnsignedAttributesSet and UnprotectedAttributes to UnprotectedAttributesSet?

 5. In AuthenticatedData, SupportedAttributes is used in AuthAttributes and
UnauthAttributes. In AuthAttributes, can we change SupportedAttributes to
AuthAttributesSet and in UnauthAttributes can we change SupportedAttributes
to UnauthAttributesSet?

 6. For consistency with the 3370 section, can we change
SignatureAlgorithmList to SignatureAlgorithms, DigestAlgorithmList to
MessageDigestAlgorithms, KeyAgreementAlgorithmList to
KeyAgreementAlgorithms, and ContentEncryptionAlgorithmLists to
ContentEncryptionAlgorithms?

 7. Can we change KeyDerivationAlgorithmIdentifier to use
KeyDerivationAlgorithms instead of AlgorithmList?

 8. Can we change MessageAuthenticationCodeAlgorithm to use
MessageAuthenticationCodeAlgorithms instead of AlgorithmList?

 9. Don't we want to define an OriginatorPKAlgorithms instead of using
AlgorithmList in OriginatorPublicKey:

       OriginatorPublicKey ::= SEQUENCE {
         algorithm AlgorithmIdentifier {{OriginatorPKAlgorithms}},
         publicKey BIT STRING
       }

       OriginatorPKAlgorithms ALGORITHM ::= {
         ... -- Extensible
       }

 10. For consistency, can we change KeyEncryptionAlgorithmList to be
KeyEncryptionAlgorithms?

-------------------

In the 4108 section, can we make FirmwareContentTypes and FirmwareSignedAttrs
extensible?

-------------------

In the 4998 section,

 1. Shouldn't we constrain the digestAlgorithms and digestAlgorithm?

 2. Should the import for Attribute come from PKIX or RFC3852 update module?

 3. Why are Extensions and EXTENSION imported?

-------------------

In the 5035 section,

 1. Why are Extensions and EXTENSION imported?

 2. Should the import for Attribute come from PKIX or RFC3852 update module?

 3. OID for PKIX1 module doesn't match the new PKIX asn ID OID - I think it
should be id-pkix-explict(19) instead of (18).

 4. Should EssSignedAttributes be SignedAttributes? Should it also be
extensible?

 5. Should EssContentTypes be just ContentSet?

 6. Is the note about the identical SecurityCategories encoding required
anymore?

 7. Shouldn't we say HashAlgorithms ::= MessageDigestAlgorithms instead of
HashAlgorithms ::= AlgorithmIdentifier {{...}}?

 8. Shouldn't we import the shaa256 alg?

-------------------

In the 5084 section, we should import ALGORITHM from PKIX and define the
algorithms as follows:

   ContentEncryptionAlgorithms ALGORITHM ::= { 
     cea-aes128-ccm   | 
     cea-aes192-ccm   | 
     cea-aes256-ccm   | 
     cea-aes128-gcm   | 
     cea-aes192-gcm   | 
     cea-aes256-gcm, 
     ... -- Extensible 
     } 

   cea-aes128-ccm ALGORITHM ::= { 
     OID id-aes128-CCM PARMS CCMParameters } 

   cea-aes192-ccm ALGORITHM ::= { 
     OID id-aes192-CCM PARMS CCMParameters } 

   cea-aes256-ccm ALGORITHM ::= { 
     OID id-aes256-CCM PARMS CCMParameters } 

   cea-aes128-gcm ALGORITHM ::= { 
     OID id-aes128-GCM PARMS GCMParameters } 

   cea-aes192-gcm ALGORITHM ::= { 
     OID id-aes192-GCM PARMS GCMParameters } 

   cea-aes256-gcm ALGORITHM ::= { 
     OID id-aes256-GCM PARMS GCMParameters } 
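
What the PARMS constraints in the 3565 object sets above mean for a decoder, as an added example that is not part of the original message or of the modules under review: a Python check that a DER AlgorithmIdentifier belongs to a given set and carries the parameters that set allows. The function names are hypothetical; the OID values and the 16-octet AES-IV size are taken from RFC 3565.

```python
# Added example, not from the original message. Function names are hypothetical.
# Each table mirrors one object set (OID -> PARMS rule); OIDs are from RFC 3565.
AES = "2.16.840.1.101.3.4.1."
CONTENT_ENCRYPTION = {AES + n: "AES-IV" for n in ("2", "22", "42")}
KEY_WRAP = {AES + n: "ABSENT" for n in ("5", "25", "45")}

def read_tlv(buf, pos=0):
    """Parse one short-form DER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # these AlgorithmIdentifiers are far below 128 octets
        raise ValueError("long-form length not expected here")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_algorithm_identifier(der, object_set):
    """Return (oid, verdict) for a DER AlgorithmIdentifier checked against a set."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid, params = decode_oid(oid_body), seq[pos:]
    rule = object_set.get(oid)
    if rule is None:
        return oid, "algorithm not in set"
    if rule == "ABSENT":  # PARMS ABSENT: even an encoded NULL is rejected
        return oid, "ok" if not params else "parameters must be absent"
    # AES-IV ::= OCTET STRING (SIZE(16)), with nothing trailing it
    ptag, iv, pend = read_tlv(params) if params else (None, b"", 0)
    ok = ptag == 0x04 and len(iv) == 16 and pend == len(params)
    return oid, "ok" if ok else "AES-IV must be a 16-octet OCTET STRING"
```

A key-wrap AlgorithmIdentifier encoded with NULL parameters fails the KeyWrapAlgorithms check here, which is the case PARMS ABSENT rules out.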
